Fixing two security vulnerabilities in phpBB 2.0.x (repost)

Posted by worldblog on 2008-01-21
The phpBB development team recently published fixes for two vulnerabilities in phpBB 2.0.x:

1. Injection vulnerability:
Edit viewtopic.php. Before this code:
Code:
if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )
{
      $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
}
else if ( isset($HTTP_GET_VARS['topic']) )
{
      $topic_id = intval($HTTP_GET_VARS['topic']);
}
add:
Code:
$topic_id = $post_id = false;

Replace the following code:

Code:
$join_sql_table = ( !isset($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 ";
$join_sql = ( !isset($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id";
$count_sql = ( !isset($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts";

$order_sql = ( !isset($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";
with:

Code:
$join_sql_table = ( empty($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 ";
$join_sql = ( empty($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id";
$count_sql = ( empty($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts";

$order_sql = ( empty($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";
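
Why both halves of this fix are needed, as an added example that is not phpBB's code or part of the original post. It assumes variables can already exist when the script starts (for example, request values imported by PHP's register_globals); `join_sql()`, the `post` key and the sample values are hypothetical.

```php
<?php
// Added illustration, not phpBB source. join_sql() and the 'post' key are
// hypothetical. $scope models variables that already exist when the script
// starts (assumption: e.g. request values imported by register_globals).
function join_sql(array $get, array $scope, $init, $use_empty)
{
    extract($scope, EXTR_SKIP);            // pre-existing variables, if any
    if ($init) {
        $topic_id = $post_id = false;      // the line the fix adds
    }
    if (isset($get['topic'])) {
        $topic_id = intval($get['topic']);
    }
    if (isset($get['post'])) {
        $post_id = intval($get['post']);
    }
    // Original test: !isset(). Fixed test: empty().
    $no_post = $use_empty ? empty($post_id) : !isset($post_id);
    if ($no_post && empty($topic_id)) {
        return '(no topic or post requested)';
    }
    return $no_post
        ? "t.topic_id = $topic_id"
        : "p.post_id = $post_id AND t.topic_id = p.topic_id AND ...";
}

// Constructed sample inputs: [GET values, pre-existing variables, init?, empty()?]
$stray = array('topic_id' => 'not-a-number');   // benign marker, never passed to intval()
$cases = array(
    'original, normal request'   => array(array('topic' => '42'), array(), false, false),
    'original, stray $topic_id'  => array(array(), $stray, false, false),
    'initialised, still isset()' => array(array('topic' => '42'), array(), true, false),
    'fixed, stray $topic_id'     => array(array(), $stray, true, true),
    'fixed, normal request'      => array(array('topic' => '42'), array(), true, true),
);
foreach ($cases as $label => $args) {
    echo str_pad($label, 28), ' => ', call_user_func_array('join_sql', $args), "\n";
}
```

With initialisation alone, `isset(false)` is true, so a topic-only request would take the post branch with an empty `$post_id`; that is why the fix also switches the tests to `empty()`.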

2. styles_admin unauthorized access vulnerability:
Edit admin/admin_styles.php.
Replace the following code:

Code:
//
// Load default header
//
//
// Check if the user has cancled a confirmation message.
//
$phpbb_root_path = "./../";

$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;

if (empty($HTTP_POST_VARS['send_file']))
{
   $no_page_header = ( $cancel ) ? TRUE : FALSE;
   require($phpbb_root_path . 'extension.inc');
   require('./pagestart.' . $phpEx);
}

if ($cancel)
{
   redirect('admin/' . append_sid("admin_styles.$phpEx", true));
}
with:
Code:
//
// Load default header
//
//
// Check if the user has cancled a confirmation message.
//
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');

$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;

$no_page_header = (!empty($HTTP_POST_VARS['send_file']) || $cancel) ? TRUE : FALSE;

require('./pagestart.' . $phpEx);

if ($cancel)
{
   redirect('admin/' . append_sid("admin_styles.$phpEx", true));
}

Alternatively, upgrade directly to phpBB 2.0.5. (Translated and compiled by hutuworm)

From the "ITPUB Blog", link: http://blog.itpub.net/10752043/viewspace-997952/. Please credit the source when reposting; otherwise legal liability will be pursued.
